

How to use IDA Pro to debug a .so library and obtain the xxtea decryption key when reversing Lua games

2025-01-24 Update. From: SLTechnology News&Howtos (shulou), Network Security


Shulou (Shulou.com) 05/31 Report

Many newcomers to Lua reverse engineering are unsure how to debug a .so library with IDA Pro in order to obtain the xxtea decryption key. This article walks through the process in detail; anyone who needs it can follow along, and hopefully take something away.

First, we need the script resources inside the apk. An apk is just a zip archive, so you can extract the installation package directly with an archiver such as 360 Zip, which gives a directory like the following:

The lib directory contains the .so library we need to debug. Its name is usually libcocos2dlua.so or something containing the word cocos, but there are exceptions: the app we are cracking here names it libgame.so. Whatever the name, dragging it into IDA Pro shows at once whether it was built on the cocos2d-lua framework. The assets directory holds the encrypted Lua scripts and other resources.

To debug the app dynamically you need a runtime environment for it: a real device or an emulator. Emulators are not recommended; there are too many pitfalls. I tried several third-party emulators (Lightning, Tiantian, MuMu) and building a working debugging environment failed almost every time. The official Android emulator does work (it succeeded several times, with some failures), but it requires the Android SDK and NDK and is very slow, so a real device is the recommended route.

Next, download the adb Android debugging tool and add it to your PATH. Once the phone is connected over USB (with USB debugging enabled), you can control it with adb commands. Open cmd and type adb to see the help text:

Find the android_server file in your IDA Pro installation directory (under dbgsrv), copy it to the phone with adb push, and make it executable (chmod 755). It must be started as root (su), because attaching to another app's process requires ptrace rights:

To attach to the process after the app is already running, start IDA Pro's android_server on the phone and use adb forward to map its port (23946 by default) to the computer, e.g. adb forward tcp:23946 tcp:23946. If the computer and the phone are on the same LAN, the mapping is not required and IDA can connect to the phone's IP directly. As shown below:

Run the app on the phone:

In IDA Pro, choose the remote ARM Linux/Android debugger and attach to the process:

If you are debugging over the LAN without adb forward, change the host address from 127.0.0.1 to the phone's IP address:

Double-click the target process in the list to attach and start debugging:

Then pick the module you want to debug in the Modules view, here libgame.so. The hex (memory) view at the bottom can be synchronized with the disassembly view above it:

Some apps must be debugged from the program entry point, which takes more preparation. The steps commonly described online are: first make sure the android:debuggable attribute on the application node of AndroidManifest.xml in the apk is true, which means decompiling the apk, changing the value, and rebuilding it; then find the app's package name and entry activity. Ready-made tools do all of this, or you can use the commands directly, e.g. to inspect the manifest:
aapt dump xmltree dashen.apk AndroidManifest.xml > manifest.xml
and to rebuild with apktool:
java -jar apktool.jar b -d out -o dashen.apk
After that, start the app in debug mode, e.g.
adb shell am start -D -n com.yaotong.crackme/.MainActivity
and the phone shows the "Waiting for debugger" dialog:

At this point the process is paused at its entry, so attach to it with IDA Pro, then run
jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700
to tell the process to continue; from there IDA Pro can keep debugging.

An alternative is to set ro.debuggable to 1 in default.prop in the Android root directory (inspect with getprop), which forces every app to be debuggable so you do not have to modify and repackage the apk. Note that ro.* properties are read-only once the system has booted, so setprop alone will not change it; the value has to be changed in the boot image's default.prop, or with a tool that patches the property in memory. One more point to clear up: when the jdb connect fails, it looks like this:

This is often blamed on the apk's android:debuggable attribute. In my testing the real cause was that DDMS (Dalvik Debug Monitor Server) was not running. Port 8700 is DDMS's default debugging port; if the service is not running, nothing is listening there and jdb cannot connect to the VM. So run the script in the Android SDK tools directory that starts DDMS. Let's open DDMS:

DDMS shows the process we want to debug on port 8626 and also on the shared port 8700, so jdb can connect to either of the two.

One more thing to watch during debugging: put SELinux into permissive mode with setenforce 0 (as root), otherwise it can block android_server from attaching.

That covers IDA Pro debugging. Next we use IDA Pro to crack the Dashen ("Great God") app. It is built on cocos2d-lua, and cocos2d-lua encrypts its scripts with xxtea, so we can download the cocos2d-x source and open it in Visual Studio:

In VS, Shift+F12 (Find All References) lists the callers of xxtea_decrypt:

One is in luaLoadBuffer, the other in luaLoadChunksFromZIP:

From the function names we can guess that one decrypts scripts when they are unpacked from a zip and the other decrypts a single script buffer; the details do not matter here. We only need to break on these two functions, and when they call xxtea_decrypt we can read the key used for xxtea decryption. So the key to cracking the app is now clear: xxtea_decrypt and its direct callers luaLoadBuffer and luaLoadChunksFromZIP.

Now back to the apk: extract it and drag libgame.so from the lib directory into IDA Pro:

An ordinary cocos2d-lua app does not hide its xxtea setup, and there is a well-known shortcut for getting the key: open one of the encrypted Lua files and read the sign (the plaintext prefix at the start of every encrypted script), then open IDA Pro's Strings view, search for that sign and double-click it. The xxtea key will be a string literal right next to the sign, because the app sets both in one call (setXXTEAKeyAndSign) and the two literals end up side by side. You can try it yourself; the steps are documented in detail online, so we will not repeat them. The app we are cracking has been hardened, and that method does not work on it.

Moving on. From the cocos2d source we identified the breakthrough function xxtea_decrypt and its direct callers luaLoadBuffer and luaLoadChunksFromZIP. Let's check the export table in IDA Pro to see whether the function names match the source. The export table looks like this:

There are no exported functions with xxtea in the name. Searching for LoadChunk:

Nothing either. Now search for loadbuf:

Three hits, and the first one clearly looks like the function we saw in the source:

We established earlier that luaLoadBuffer calls xxtea_decrypt to decrypt the script. Although the app has been hardened and the name xxtea_decrypt is gone, there must still be a decryption function equivalent to it. Press F5 to decompile luaLoadBuffer and look closely:

Clearly _byds_d_ is the decryption function we are looking for, the equivalent of xxtea_decrypt. Let's open _byds_d_ and look inside:

Compare it with the xxtea_decrypt source in cocos2d-lua:

The function bodies clearly do the same thing. We have now confirmed the two breakthrough points for cracking the app: _byds_d_ and luaLoadBuffer. If we break on both during dynamic debugging, then, barring surprises, we should be able to read the xxtea key. In cocos2d-lua the app's main logic lives in the Lua scripts, which are loaded at runtime, so it is enough to launch the app on the phone and attach the debugger afterwards.

As described above, attach IDA Pro to the Dashen app's process (com.qipai.n1) and search the Modules window for libgame:

Double-click it to list the functions in that module, and search for luaLoadBuffer and _byds_d_:

Open each one, set a breakpoint on it, and set the memory window to synchronize with the disassembly window:

Then use the app on the phone until a breakpoint hits, and look at the actual arguments passed to _byds_d_:

We know that the third parameter, A3, is the key. On 32-bit ARM the first four arguments are passed in registers R0 through R3 in order, so the third argument is in R2, and that is where our key pointer lives. R2 holds a memory address, so we have to look at the memory it points to in order to see the value. Hovering the mouse over R2 pops up the bytes at that address, but the preview is truncated, so instead synchronize the memory window to R2 and read the value at that address:
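Once the bytes at R2 have been read, the next thing a practitioner wants is to confirm they really are the key, and to understand what the decryption the article traced through luaLoadBuffer actually does to a script. The following is an added example, not code from the article or from cocos2d-x: it reimplements in Python the xxtea variant that cocos2d-x's xxtea.cpp uses (32-bit little-endian words, the original byte length stored in a trailing word, key fixed to 16 bytes), mirrors luaLoadBuffer's sign check, and verifies a candidate key against an encrypted chunk. The default sign "XXTEA" and key "2dxLua" are the cocos2d-lua template defaults as I recall them and are only used to build a constructed sample; the 16-byte key fixup is taken from memory of fixup_key in xxtea.cpp. A real target's sign is the prefix of any file under assets, and the candidate key is whatever you dumped from R2 (if _byds_d_ keeps xxtea_decrypt's parameter order, R3 holds its length).

```python
"""xxtea as used by cocos2d-lua, plus a luaLoadBuffer-style loader and a key check.
Added example: the constants and helper names are this example's own."""
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
LUA_BYTECODE_ID = b"\x1bLua"   # magic at the start of a compiled Lua chunk


def _fixup_key(key: bytes) -> bytes:
    # cocos2d-x always uses exactly 16 key bytes: zero-pad short keys, cut long ones
    # (assumed from memory of fixup_key in xxtea.cpp).
    return key[:16].ljust(16, b"\0")


def _to_words(data: bytes, include_length: bool) -> list:
    # xxtea_to_long_array: pack bytes little-endian into 32-bit words; encryption
    # appends the original byte length as one extra word.
    padded = data + b"\0" * (-len(data) % 4)
    words = list(struct.unpack("<%dI" % (len(padded) // 4), padded))
    if include_length:
        words.append(len(data))
    return words


def _from_words(words: list, include_length: bool):
    # xxtea_to_byte_array: the reverse. With include_length the last word must be a
    # plausible byte count; with a wrong key it is garbage and we return None,
    # which is the NULL return luaLoadBuffer treats as decryption failure.
    raw = struct.pack("<%dI" % len(words), *words)
    if not include_length:
        return raw
    n, capacity = words[-1], (len(words) - 1) * 4
    if not (capacity - 3 <= n <= capacity):
        return None
    return raw[:n]


def _mx(sum_, y, z, p, e, k):
    # XXTEA_MX with C precedence: (+) binds tighter than (^).
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((sum_ ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK


def _encrypt_words(v, k):
    n = len(v) - 1
    if n < 1:
        return v
    z, sum_, q = v[n], 0, 6 + 52 // (n + 1)
    while q > 0:
        q -= 1
        sum_ = (sum_ + DELTA) & MASK
        e = (sum_ >> 2) & 3
        for p in range(n):
            y = v[p + 1]
            v[p] = (v[p] + _mx(sum_, y, z, p, e, k)) & MASK
            z = v[p]
        y = v[0]
        v[n] = (v[n] + _mx(sum_, y, z, n, e, k)) & MASK
        z = v[n]
    return v


def _decrypt_words(v, k):
    n = len(v) - 1
    if n < 1:
        return v
    y, q = v[0], 6 + 52 // (n + 1)
    sum_ = (q * DELTA) & MASK
    while sum_ != 0:
        e = (sum_ >> 2) & 3
        for p in range(n, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(sum_, y, z, p, e, k)) & MASK
            y = v[p]
        z = v[n]
        v[0] = (v[0] - _mx(sum_, y, z, 0, e, k)) & MASK
        y = v[0]
        sum_ = (sum_ - DELTA) & MASK
    return v


def xxtea_encrypt(data: bytes, key: bytes) -> bytes:
    k = _to_words(_fixup_key(key), False)
    return _from_words(_encrypt_words(_to_words(data, True), k), False)


def xxtea_decrypt(data: bytes, key: bytes):
    # Mirrors cocos2d-x xxtea_decrypt(): None on malformed input or a wrong key.
    if len(data) < 4 or len(data) % 4:
        return None
    k = _to_words(_fixup_key(key), False)
    return _from_words(_decrypt_words(_to_words(data, False), k), True)


def load_lua_chunk(chunk: bytes, sign: bytes, key: bytes):
    # The decision luaLoadBuffer makes: chunks starting with the sign are decrypted
    # (sign stripped first), anything else is handed to Lua untouched.
    if sign and chunk.startswith(sign):
        return True, xxtea_decrypt(chunk[len(sign):], key)
    return False, chunk


def looks_like_lua(plain) -> bool:
    # Accept Lua bytecode or UTF-8 source containing a common Lua keyword.
    if not plain:
        return False
    if plain.startswith(LUA_BYTECODE_ID):
        return True
    try:
        text = plain.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return any(kw in text for kw in ("local ", "function", "require", "return"))


def verify_key(candidate_key: bytes, sign: bytes, encrypted_chunk: bytes) -> bool:
    # What to run on the bytes dumped from R2 against any script from assets.
    was_encrypted, plain = load_lua_chunk(encrypted_chunk, sign, candidate_key)
    return was_encrypted and looks_like_lua(plain)


# Constructed sample, built here with the encryptor above (not taken from any app).
SAMPLE_SIGN = b"XXTEA"
SAMPLE_KEY = b"2dxLua"
SAMPLE_SRC = b'local M = {}\nfunction M.hello() return "hi" end\nreturn M\n'
SAMPLE_CHUNK = SAMPLE_SIGN + xxtea_encrypt(SAMPLE_SRC, SAMPLE_KEY)

if __name__ == "__main__":
    print("right key ok:", verify_key(SAMPLE_KEY, SAMPLE_SIGN, SAMPLE_CHUNK))
    print("wrong key ok:", verify_key(b"wrongkey", SAMPLE_SIGN, SAMPLE_CHUNK))
```

In use, replace SAMPLE_CHUNK with a file read from assets, SAMPLE_SIGN with the prefix that file starts with, and the candidate key with the bytes dumped at R2. The length-word check is why a wrong key fails cleanly rather than producing noise, which is the same failure branch luaLoadBuffer takes.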

At this point the xxtea key has been recovered and the app's scripts can be decrypted.


© 2024 shulou.com SLNews company. All rights reserved.
